Advisories » MGASA-2016-0012

Updated apache-commons-collections packages fix security vulnerability

Publication date: 14 Jan 2016
Modification date: 14 Jan 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-7501

Description

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library (CVE-2015-7501).

With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that
require those classes to be deserialized can set the system property
"org.apache.commons.collections.enableUnsafeSerialization" to "true" to
re-enable it. Doing so restores the vulnerable behaviour, so it is only
safe for applications that never deserialize data from untrusted sources.
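The following is an added example, not code from the advisory, Mageia or the Apache Commons project. It assumes a patched commons-collections jar on the classpath whose behaviour matches upstream 3.2.2 (the fix for this CVE; the exact Mageia package version is not named on this page, so that correspondence is an assumption). It shows two things a practitioner would want to check after applying the update: that the library now refuses to serialize InvokerTransformer, one of the functor classes the upstream fix guards, unless the property named above is set to "true"; and an application-side allowlisting ObjectInputStream that rejects unexpected classes before any of their code runs, which protects an application regardless of which library versions are present. The class name CollectionsDeserializationCheck and the sample HashMap are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Added example, not Mageia's or Apache's code. Assumes a commons-collections
 * jar patched for CVE-2015-7501 (upstream 3.2.2 behaviour) on the classpath;
 * the exact packaged version is not stated on the page and is an assumption.
 */
public class CollectionsDeserializationCheck {

    /** Property named in the advisory; the library reads it when (de)serializing the guarded classes. */
    static final String UNSAFE_PROP =
            "org.apache.commons.collections.enableUnsafeSerialization";

    /**
     * Attempts to serialize an InvokerTransformer, the reflection-based functor used in the
     * published gadget chains. A patched library throws UnsupportedOperationException from
     * its writeObject/readObject hooks unless the property is "true"; an unpatched one does not.
     */
    static boolean libraryRefusesInvokerTransformer() throws IOException {
        // Harmless instance: it would only call toString() on its input.
        Transformer t = InvokerTransformer.getInstance("toString");
        try (ObjectOutputStream oos = new ObjectOutputStream(new ByteArrayOutputStream())) {
            oos.writeObject(t);
            return false;   // serialized without complaint: the guard is off
        } catch (UnsupportedOperationException e) {
            return true;    // patched behaviour with the property unset
        }
    }

    /** Look-ahead deserialization: refuse any class not on the allowlist before it is instantiated. */
    static final class AllowlistInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // resolveClass is invoked for every class descriptor in the stream, including
            // superclasses, so a gadget class is rejected before its readObject can run.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("library refuses InvokerTransformer (property unset): "
                + libraryRefusesInvokerTransformer());

        // The opt-out the advisory describes; the library re-enables the old behaviour.
        System.setProperty(UNSAFE_PROP, "true");
        System.out.println("library refuses InvokerTransformer (property=true): "
                + libraryRefusesInvokerTransformer());
        System.clearProperty(UNSAFE_PROP);

        // Application-level defence independent of the library version.
        Map<String, Integer> sample = new HashMap<>();   // constructed sample input
        sample.put("answer", 42);
        byte[] stream = serialize(sample);

        // HashMap stores Integer values; the stream also carries Integer's superclass Number.
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "java.util.HashMap", "java.lang.Number", "java.lang.Integer"));
        try (ObjectInputStream in = new AllowlistInputStream(stream, allowed)) {
            System.out.println("allowlisted HashMap read back: " + in.readObject());
        }

        // Same stream with a narrower allowlist: rejected at the first unexpected class.
        Set<String> tooNarrow = new HashSet<>(Arrays.asList("java.util.HashMap"));
        try (ObjectInputStream in = new AllowlistInputStream(stream, tooNarrow)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it once against the pre-update jar and once against the updated one: the first line should flip from false to true, and the second line shows that setting the property to "true" returns the library to its pre-update behaviour, which is why the property should only be set where no untrusted data is ever deserialized. The allowlisting stream is the general mitigation for this vulnerability class, since gadget chains have been found in libraries other than commons-collections.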

References

SRPMS

5/core